Posted March 3

Dear Frank and Joern,

Attached is a short summary of the content of recent chat logs between GEMBE and a confidential informant, from Agent Mike Gordon (he did a short summary, because the logs are many pages). He can fax these to the Legat office, or email them to me on our internal email system. Let me know how urgently you need these.

Seattle advised that they can send the emails between Valve and GEMBE, but it is about 40 pages. They are sending this to the Legat Frankfurt office via our internal email system. If you want this immediately, I can fax it to you.

04/12/2004 - Microsoft releases patch concerning the LSASS Vulnerability - CAN-2003-0533

04/14/2004 - Comments made indicate that "PhaTTy" and "evilbyte" are working on LSASS exploits

04/16/2004 - Wonk/Ago indicates that he is developing an LSASS exploit and almost identified the appropriate function call

04/17/2004 - Wonk/Ago indicates that he is still working on the LSASS exploit

04/18/2004 - Wonk/Ago identified the buffer and has to craft RPC packets with longer strings, at which point it will be provided to the group "xfocus" in exchange for additional 0-day exploits; doesn't currently plan to make a scanner or place in bots due to fear of bounty being placed by Microsoft. Wonk/Ago indicated that he would use the LSASS exploit on some "high profile" sites and that "some critical infrastructure" does not patch because of difficulties. Wonk/Ago prefers to be "stealthy" and gather information. Successfully exploited the vulnerability on Windows 2000 and Windows XP Home OS.

04/19/2004 - Wonk/Ago and unknown Chinese subject "ey4s", from XFocus group, cooperating to make LSASS exploit work on all versions of Windows OS. Wonk/Ago acknowledges that the vulnerability was fixed in the last patch, but that most people have not applied the patches yet. Working exploit for all versions of Windows finished.

04/26/2004 - LSASS exploit added to source code for AgoBot. Members of AgoBot development team start to use LSASS-enabled bots to compromise computers.

05/01/2004 - Wonk/Ago creates code that enables PhatBot/AgoBot to take advantage of Sasser Worm spread by compromising the Sasser Worm and causing PhatBot to be installed on the compromised computer when the command shell is opened on port 9996.